Closed Bug 368924 Opened 14 years ago Closed 7 years ago
turn on safe-browsing
I started with a new profile, and added an IMAP server account. I then went through the settings to customize things, and noticed that the "Use a downloaded list of email scams" option was *not* checked by default. I believe Firefox enables the downloaded anti-phishing list by default, so it seems like TB's pref should also default to enabled.
Actually... the feature won't be enabled at all - see bug 368635. (And the UI is no longer displayed.)
The bug said we wouldn't get it in Thunderbird 2. Can agreements be worked out for Thunderbird 3?
I sure hope so. I wonder who knows what the story is...
Assignee: mscott → nobody
Flags: blocking-thunderbird3? → blocking-thunderbird3+
Not sure if we can get this in b2, but...
Target Milestone: --- → Thunderbird 3.0b2
my understanding is that this requires legal approval from the anti-phishing provider. If that process hasn't started, then I don't see that we can get this for b2, so moving to b3
Target Milestone: Thunderbird 3.0b1 → Thunderbird 3.0b2
this still seems to be on the b2 list, actually moving to b3
Target Milestone: Thunderbird 3.0b2 → Thunderbird 3.0b3
adjusting status to make sure that I keep on top of it.
Status: NEW → ASSIGNED
rafael is going to take this on.
Assignee: david.ascher → rebron
We wouldn't block on this, I don't think.
I chatted with the Google folks on this. We can go ahead and a) use googpub-phish-shavar as the string and b) enable this pref by default. The string in Firefox is goog-phish-shavar and they're still checking to see if we can use it also. Over to bienvenu.
Assignee: rebron → bienvenu
Here's the code that I think needs to change: http://mxr.mozilla.org/comm-central/source/mail/base/content/phishingDetector.js#76
this should be trivial to try...
Target Milestone: Thunderbird 3.0b3 → Thunderbird 3.0b4
Rafael, you were going to get me a bad url so I could tell if the code was working...
in theory this should fix it, though without knowing what a bad url might be, it's hard to test...
Rafael, can we get access to a malware list as well?
I'll get the list from MozQA.
David, Here's what I got from QA: http://www.phishtank.com/ (live examples) https://litmus.mozilla.org/show_test.cgi?id=6988
We may need to turn this pref on as well...I haven't been able to verify that this is working yet, though.
FYI, I applied the patch, and loaded a message with a link to http://www.mozilla.com/firefox/its-a-trap.html in it. Nothing happened.
1) I sent myself an email containing the url http://www.irs.gov.nuko7ur.eu/fraud_application/directory/statement.php?email=x&tid=rpowell-00000174073547US (which I got from phishtank.com), looked at it in the Sent folder, and got no warning. (going to that URL in firefox does trigger the red screen of scare)
2) Looking at the 'safebrowsing' prefs in both firefox and thunderbird, there seem to be a lot of differences. Feels like more work is needed.
Have you run with the second patch? I haven't checked anything in yet, and I haven't been able to verify that this works.
(In reply to comment #22)
> Have you run with the second patch? I haven't checked anything in yet, and I
> haven't been able to verify that this works.
ah, sorry, I read my bug mail from newest to oldest and didn't see your comment. If we want this to potentially block, we should mark it blocking, otherwise it tends to fall off my radar :-(
Adding to blocker list, but changing title to indicate that what we should do is to figure out if it's easy, not that we'll block until this is fixed. It seems like a good security win if we can leverage the existing infrastructure, but if it's too hard, we can target it to the next release.
Flags: blocking-thunderbird3- → blocking-thunderbird3+
Summary: Scam list not enabled by default → investigate whether safebrowsing can be enabled cheaply
Don't we have to fork the UI and the strings that are currently in mozilla/browser for this? This will be hard given that we're three days away from the string freeze.
Are the patches in this bug really all that is needed here? If yes, then we don't need to worry about the upcoming string freeze for TB3 tomorrow, but if not, then we need to get traction on this bug ASAP.
The code in TB 2.0 basically made a copy of the FF 2 phishing stuff, and left the db stuff turned off. The current FF anti-phishing stuff is somewhat different, and to get this to work, I think I'd need to re-copy the current FF code. I made a quick stab at it, and it didn't work. So this is looking a bit iffy. Re the string freeze, the current design is to show the same warning for messages with black-listed urls as we do for manually detected bad urls, i.e., no string changes needed.
taking off blocking - I'd love to do this, but I'm not going to block on it.
Flags: blocking-thunderbird3+ → blocking-thunderbird3.1+
Summary: investigate whether safebrowsing can be enabled cheaply → turn on safe-browsing
We really really want this. That said, if it were the last bug standing, I don't believe we'd hold 3.1 for much time to get it, so I'm marking blocking- and wanted+. clarkbw, I suspect this does want to live on our soon-to-be-created medium-term-feature-focus page. Do you agree? If so, can you add it to your list? Also, I'm still not totally sure how the feature-focus wiki pages and our wanted flags should interact. Thoughts there appreciated.
What needs to be done to go forward with this?
Someone needs to figure out how to adapt the new FF anti-phishing code to Thunderbird.
Assignee: dbienvenu → nobody
The patch uses googpub-phish-shavar (Camino too), but Firefox and Fennec are using goog-phish-shavar: http://mxr.mozilla.org/mozilla-central/source/browser/components/safebrowsing/content/application.js#112 What are the differences?
Prolly only Google knows that, but comment 11 and various other bugs related to this (i.e. for Iceweasel) seem to suggest that Google uses googpub for data-users that aren't as extensively checked for correct behavior as current Firefox is.
Is this important in any strategic sense?
Status: ASSIGNED → NEW
Target Milestone: Thunderbird 3.0rc1 → ---
(In reply to Wayne Mery (:wsmwk) from comment #35)
> Is this important in any strategic sense?
I don't see any strategic reason why this should be given particular consideration. Yes it would be nice to have.
Obsoleted by bug 778611.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 778611